Last week, LastPass released an update to fix a major security bug exposing your credentials entered on a previously visited site. This vulnerability was discovered by a security researcher with Project Zero, Google’s elite bug-hunting team.
What we know about the LastPass Vulnerability
If you have not updated to the latest version of LastPass—that is, version 4.33.0 from September 12—your passwords are vulnerable to cyberattacks. We would recommend that you manually update your LastPass browser extension or mobile application ASAP.
Why take this vulnerability so seriously?
As part of Project Zero’s mission, the Google team releases details on the vulnerability publicly to pressure organizations like LastPass to fix their software. That means hackers now have detailed information on how to exploit this vulnerability against any user who has not yet updated their LastPass version.
How does the bug work?
The bug is triggered by malicious JavaScript code alone. That means you would not have to interact with the attack at all for your password vault to be exposed to the exploit. A hacker can get in without you taking any action, which is what makes exploits of this type so serious.
How can an exploit like this come to a full-blown attack?
Attackers may lure a LastPass user onto a malicious website and run the exploit there to extract the credentials entered on a previously visited site. This is not hard nowadays: an attacker can easily disguise a malicious link as what looks like a regular URL. They have had a lot of success tricking users into clicking on such links and, in many cases, have already stolen large numbers of passwords.
Cybersecurity experts rate this vulnerability severe—the highest ranking for exploits.
Here are some things to consider:
Don’t abandon your password manager. It does have a real job in your day-to-day life; instead of abandoning it, make sure your software is up to date.
With growing suspicions around LastPass (they have had several data breaches in the past couple of years), you might want to opt for a less visible management tool.
We recommend using KeePass and storing your KeePass file in a secure place in your cloud-based file management system. Having a password management system is FAR better than having nothing but a text file!
Make sure you are changing your passwords—criminals are getting better at cracking passwords. Consider changing very sensitive logins regularly (at least every 30 to 90 days).
On personal accounts, consider at least an annual password change to ensure they remain secure. The beauty of using a password management tool is that you won’t need to recall sensitive passwords on the spot; you simply open your tool.
Inform yourself on password security. One of the best ways to protect your organization and your personal information is to stay aware of what is going on in password security. Consider attending our next webinar on Password Cybersecurity, coming up in October, and get your teams involved as well.